Injecting code in HTML


I am trying to write a class in PHP that removes possible injections in user-given
HTML (from a <textarea>).
I realize that I could prevent any HTML code ('<' and '>'), but that would
(IMHO) be a bit of overkill.
I don't want to limit HTML for the sake of a handful of bad elements.

But before I do that I need to work out what is potentially malicious and
what is not.

My first assertion is that the HTML tags (<a>, <table>, etc.) in
themselves are not a potential danger (apart, of course, from <script>). By
that I mean there is no tag that can make my server behave in a certain way;
only the elements in the tag can be hurtful.

My second assertion is that the element style="..." in any tag cannot
contain any malicious code (that is, for example, contain any donkey(...)
etc.), so I would be right in allowing any style="...", id="..." and
class="..." elements.

Are my above assertions right?
And where would I be able to find a more detailed article on the possible
dangers of HTML tags and elements?

I do realize that PHP can have its own problems, but I would like to limit
myself to 'normal' HTML.

Many thanks in advance.
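As an added example (not code from the post or from any reply), here is the allowlist approach the post is circling around, built on PHP's built-in DOMDocument: tags and attribute names not on the lists are dropped along with their contents, and href and style values are checked before they are kept. The tag and attribute lists are illustrative assumptions.

```php
<?php
// Added example (not from the thread): allowlist HTML sanitiser built on
// PHP's DOMDocument. The tag and attribute lists are illustrative assumptions.
const ALLOWED_TAGS  = ['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li',
                       'table', 'tr', 'td', 'th', 'span', 'div'];
const ALLOWED_ATTRS = ['class', 'id', 'style', 'href'];

function sanitize_html(string $input): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy user markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $input . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // serialiser re-escapes text nodes
    }
    return $out;
}

function clean_node(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) {  // static copy; list mutates
        if ($child instanceof DOMText) continue;                 // plain text is kept
        if (!($child instanceof DOMElement)
            || !in_array(strtolower($child->tagName), ALLOWED_TAGS, true)) {
            $node->removeChild($child);   // comments, CDATA and unlisted tags go, contents too
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS, true) || !attr_value_ok($name, $attr->value)) {
                $child->removeAttribute($attr->name);   // e.g. event-handler attributes
            }
        }
        clean_node($child);
    }
}

function attr_value_ok(string $name, string $value): bool
{
    if ($name === 'href') {             // plain web links only
        return (bool) preg_match('#^https?://#i', trim($value));
    }
    if ($name === 'style') {            // "prop: value;" pairs; no quotes, parentheses or URLs
        return (bool) preg_match('/^(\s*[a-z-]+\s*:\s*[a-z0-9#%.,\s-]+;?)+$/i', $value);
    }
    return true;
}
```

Calling `sanitize_html('<p class="x" onclick="y">hi</p><script>z</script>')` returns `<p class="x">hi</p>`; whatever list you settle on, keep it an allowlist rather than a list of known-bad names.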


Re: Injecting code in HTML


If you're working with a database, beware of SQL injection, i.e.:

<textarea>DROP TABLE</textarea> has some good

Adrienne Boswell
Please respond to the group so others can share
